The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.

libcurl's URL parser function can overflow a malloced
buffer in two ways, if given a too long URL.

1 - pass in a URL with no protocol (like "http://")
prefix, using no slash and the string is 256 bytes or
longer. This leads to a single zero byte overflow of the
malloced buffer.

2 - pass in a URL with only a question mark as separator
(no slash) between the host and the query part of the URL.
This leads to a single zero byte overflow of the malloced
buffer.

Both overflows can be made with the same input string,
leading to two single zero byte overwrites.

The affected flaw cannot be triggered by a redirect, but
the long URL must be passed in "directly" to libcurl. It
makes this a "local" problem. Of course, lots of programs
may still pass in user-provided URLs to libcurl without doing
much syntax checking of their own, allowing a user to exploit
this vulnerability.

Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.

An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.

Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.

An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.

The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.

libcurl's URL parser function can overflow a malloced
buffer in two ways, if given a too long URL.

1 - pass in a URL with no protocol (like "http://")
prefix, using no slash and the string is 256 bytes or
longer. This leads to a single zero byte overflow of the
malloced buffer.

2 - pass in a URL with only a question mark as separator
(no slash) between the host and the query part of the URL.
This leads to a single zero byte overflow of the malloced
buffer.

Both overflows can be made with the same input string,
leading to two single zero byte overwrites.

The affected flaw cannot be triggered by a redirect, but
the long URL must be passed in "directly" to libcurl. It
makes this a "local" problem. Of course, lots of programs
may still pass in user-provided URLs to libcurl without doing
much syntax checking of their own, allowing a user to exploit
this vulnerability.